To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi,

On Sat, May 20, 2006 at 11:57:35PM +0200, Jörg Weber wrote:
> I found this funny thing during the weekend:
> It connects to symantec.loves.the.cock.pheer.biz 18067 and seems to initiate
> something akin to an IRC session:

symantec.loves.the.cock.pheer.biz (aka ypgw.wallloan.com, ...) is a well-known
command & control server - and active since at least March 2005.

e.g.

--snip--
Report created: 21.03.2005 08:06:31

[ General information ]
* File length: 6694 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDO\hwcl.
* Creates file C:\WINDOWS\debug\dcpromo.log.

[ Changes to registry ]
* Creates key "HKLM\System\CurrentControlSet\Services\hwclock".
* Sets value "ImagePath"="C:\WINDO\hwcl" in key "HKLM\System\CurrentControlSet\Services\hwclock".
* Sets value "DisplayName"="Hardware Clock Driver" in key "HKLM\System\CurrentControlSet\Services\hwclock".
* Creates key "HKLM\Software\Microsoft\ole".
* Sets value "enabledcom"="n" in key "HKLM\Software\Microsoft\ole".
* Sets value "restrictanonymous"="" in key "HKLM\System\CurrentControlSet\Control\Lsa".

[ Network services ]
* Connects to "symantec.loves.the.cock.pheer.biz" on port 18067 (TCP).
* Sends data stream (13 bytes) to remote address "symantec.loves.the.cock.pheer.biz", port 18067.
* Connects to IRC Server.
* Connects to "owjgp.game2max.net" on port 18067 (TCP).
* Sends data stream (13 bytes) to remote address "owjgp.game2max.net", port 18067.

[ Process/window information ]
* Creates service "hwclock (Hardware Clock Driver)" as "C:\WINDO\hwcl".
--snap--

--
Tom Fischer
_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
